ShellcodeDriver

Windows driver to execute arbitrary usermode code (essentially the same vulnerability as capcom.sys)

Functionality

The driver takes an IOCTL carrying a pointer to a user-land function (or shellcode). It disables SMEP, calls the function, and passes a pointer to MmGetSystemRoutineAddress as the argument.

https://github.com/zerosum0x0/ShellcodeDriver/blob/master/shellcodedriver/shellcodedriver.c#L80

Exploitation

If you want to get SYSTEM, you can use the following functions to copy a SYSTEM process's token into your current process. The whole point of passing MmGetSystemRoutineAddress is that these function pointers are then simple to obtain.

  • PsGetCurrentProcessId
  • PsLookupProcessByProcessId
  • ObDereferenceObject
  • PsReferencePrimaryToken
  • PsDereferencePrimaryToken
